A Research Journey into Maturing the Business Information Security of Mid Market Organizations

Yuri Bobbert (ON2IT BV, The Netherlands & Antwerp Management School, University of Antwerp, Belgium) and Hans Mulder (Antwerp Management School, University of Antwerp, Belgium)
Copyright: © 2012 | Pages: 24
DOI: 10.4018/978-1-4666-1779-7.ch014


Most information security methodologies are aimed at large enterprise organizations with a top-down structure, while relatively smaller organizations lack the knowledge to adopt these methodologies. Most of the frameworks used by enterprises focus on high-level policy-making, and the overwhelming number of controls might suffocate practitioners in smaller organizations. This article examines the results of an exploratory study, performed in the Netherlands in Q1 and Q2 of 2010. The study used expert panel research followed by a survey. The research identified essential interventions that easily and effectively increase security maturity for mid market organizations. The research also identified the barriers that keep the mid market from implementing these interventions. This paper provides a minimum core set of practices for organizations. It shows that mid market organizations struggle with implementing relevant interventions. This research contributes a new pragmatic approach that gives practitioners in mid market organizations more guidance on how to effectively establish the desired state of security maturity.
Chapter Preview


When the topic ‘information security’ is investigated, it is usually seen as the responsibility of IT departments, since it is a “techy” subject (Solms, 2001; Gordon & Loeb, 2002; ISACA, 2009). Undeservedly so, because the scope of security is broader than just IT (Solms, 2005). Certain organizations find it hard to cope with rapidly changing threats on the one hand and upcoming business demands on the other (ISACA, 2009). Enterprise-focused frameworks for operationalizing IT in alignment with business goals seem to fail the medium enterprise segment (Kluge & Sambasivam, 2008). This mid market segment, with 100-2500 systems, is increasingly subject to cyber threats (Day, 2009) and lacks sufficient knowledge about attainable interventions in order to become security compliant (Kluge & Sambasivam, 2008) (Figure 1). The problem of insufficient knowledge about security interventions in this segment and the increase in security incidents led to the main research question: What set of interventions, based on a best practice maturity model, can be applied to enhance the maturity level of business security within mid market organizations?

Figure 1. Research market segmentation


Various studies (Day, 2009; May, 2003; Eloff, 2003; Moorsel, 2009; ITGI, 2008) present many interventions that contribute to an increase in the security maturity level of an organization. However, the interventions that are essential to have in place, and that are actually effective and easy to implement for mid market organizations, have not been studied yet. This led to a scientific approach of selecting, comparing, validating and presenting effective and easy to implement interventions that increase business information security, i.e. a core set of interventions. The data for this research was collected during the first two quarters of 2010 in the Netherlands.


Defining: Business Information Security

Since the introduction of strict laws and legislation, the emphasis on data integrity, confidentiality and availability of information systems has increased (NOREA, 2004). Besides multinationals and large organizations, mid market organizations also strive to implement IT governance. Stricter compliance regulations like Sarbanes-Oxley force organizations to comply and to use IT governance frameworks like COBIT. Various authors (Solms, 2001) argue that information security, the discipline responsible for protecting a company's information assets against information security risks, has now become such a crucial component of good Corporate Governance that it should rather be called Business Security instead of Information Security.
